With the rapid growth of the Internet and computer network technology in general, network security has become a major concern to companies around the world. The fact that the tools and information needed to penetrate the security of corporate networks are widely available has only increased that concern.
Confidential information normally resides in two states on a computer network. It can reside on physical storage media, such as a hard disk or memory of a device such as a server, or it can reside in transit across the physical network wire in the form of packets. A packet is a block of data that carries with it the information necessary to deliver it, analogous to an ordinary postal letter that has address information written on the envelope. A data packet switching network uses the address information contained in the packets to switch the packets from one physical network connection to another in order to deliver the packet to its final destination. Gateways and routers are devices that switch packets between the different physical networks. The format of a packet is usually defined according to a certain protocol. For example, the format of a packet according to the widely-used Internet protocol (IP) is known as a datagram.
These two information states present multiple opportunities for attacks on a company's internal network, as well as on the applications and user devices running on the network or at a data center (DC). An attack is simply when a person or machine accesses information without authorization, or when they attempt to do something undesirable to a network or its resources. By way of example, an IP spoofing attack occurs when an attacker outside of an internal network pretends to be a trusted computer either by using an IP address that is within the range of IP addresses for that network or by using an authorized external IP address that is trusted to access specified network resources.
Application layer attacks exploit well-known weaknesses in software commonly found on servers. By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged, system-level account. Newer forms of application layer attacks take advantage of the openness of technologies such as the HyperText Markup Language (HTML) specification, web browser functionality, and the HyperText Transfer Protocol (HTTP) protocol. These attacks, which include Java applets and ActiveX controls, typically involve passing harmful programs across the network and loading them through a user's web browser. (A web browser is a software application used to locate and displays web pages.)
The HTTP protocol is the underlying protocol used by the World Wide Web (www). Basically, HTTP defines how messages are formatted and transmitted, and what actions web servers and web browsers should take in response to various commands. For example, when a person enters a uniform resource locator (URL; the global address of documents on the World Wide Web) in a browser, this sends an HTTP command to the web server, directing it to fetch and transmit the requested web page.
HTTP is a stateless protocol; that is, it does not inherently correlate request/response messages with earlier transactions between the same client and server. Cookies have been developed as a mechanism to overcome this deficiency in the HTTP protocol. A cookie is simply a token or message given to a web browser by a web server/application. Each cookie has a domain and a path. The domain tells the browser to which web domain the cookie should be sent, and the path specifies a directory where the cookie is active. Each cookie also typically has an expiry date, after which time it is trashed. The client web browser typically stores the cookie in a text file. The cookie is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies therefore is to indicate a specific client state in an application, and to identify clients/users and possibly prepare customized web pages for them. By way of further background, U.S. Pat. No. 6,851,060 describes a mechanism to dynamically present basic authentication and cookie information to a web browser user.
Unfortunately, the security provided by most web browsers is often inadequate, especially in situations where the cookie generated by the server has user or subscriber identity information and/or credentials. For example, it is fairly easy for an attacker to intercept or “mine” a cookie, analyze it, and possibly tamper with the cookie. In other cases, unscrupulous hackers or others may attempt to steal credentials contained in a cookie in order to impersonate a person/client. Cookie “poisoning” is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies. Using this technique, an attacker can impersonate a valid user and thus gain information and perform actions on behalf of the victim.
A number of different security devices and techniques have been developed to combat the problem of security attacks. One type of device that is typically used to control data transfer between an internal, private network and an open, external network such as the Internet is known as a “firewall”. Firewalls are usually routers that are configured to analyze and filter data packets entering an internal network from an external network source. For example, U.S. Pat. No. 6,154,775 teaches a computer network firewall that authorizes or prevents certain network sessions using a dependency mask, which can be set based on session data items such as the source host address. Additionally, U.S. Patent Publication No. 2002/0055912 teaches a network consisting of member users and member vendors along with a method of protecting users by cookie-removal protection when browsing a non-member site.
U.S. Patent Publication No. 2004/0111635 teaches an information processing system and method that includes a cookie encryption scheme in a firewall unit to defend against TCP-based denial of service (DoS) attacks. One of the drawbacks of many cookie encryption schemes of application firewall devices is that signature databases must be constantly updated, and the system must be able to compare and match activities against large collections of attack signatures. That is to say, they only operate on known attacks. In addition, if signatures definitions are too specific, or if the thresholds are incorrectly set, these intrusion detection systems may miss variations on known attacks. The application firewall thresholds and signatures also need to be configured for each branch/installation of the network. For a large corporation (e.g., an international bank) the overhead associated with maintaining the signature database information can be costly.
Similar to firewalling, another prior art approach aimed at achieving network/application security is the use of a security engine or network security box that is installed at the gateway to the data center network containing the server forms and application servers. The security engine functions to intercept traffic coming from the servers, inspect the data packets, and extract the cookie from the data packets. In what is commonly known as state-full cookie security, the extracted cookie may be encrypted, with the encrypted contents of the cookie being stored on the security engine. The data packet with the plain text cookie is then sent across a network to the destination endpoint device (i.e., the client browsing the specific server). Upon return transmission, an entering packet passes through an inbound interface of the security engine. Here, the packet is checked against a state-full session table and passed forward to the application server if it is identifies as part of an already established flow. If the packet is identified as part of a new session it may be checked against an access-list. In this latter case, the cookies of the incoming packets may be extracted, encrypted, and then checked against a database of stored encrypted cookies.
One drawback of the state-full cookie security approach is that it requires significant computational and data storage resources to maintain the state information of all the different traffic flows. The time it takes to extract and encrypt cookies of incoming packets also makes the state-full approach vulnerable to denial of service attacks. Additionally, confidentiality of the information is potentially compromised since the plain text form of the cookie is still transmitted across the network all the way to the client endpoint device.
In view of the aforementioned problems in the prior art there remains an unsatisfied need for a mechanism capable of protecting cookies from being tampered or mined for their contents or structure, while obviating the need for maintaining a large record or database of the cookies on a network security device.